CAS Cybersecurity
Dosfuscated Scripts


Last updated 3 years ago


1. Introduction

Obfuscation refers to various techniques for modifying the source code of a program so that it becomes hard for analysts to read. The effort required to reverse-engineer malware thus increases significantly, and automated analysis detects the malicious code less easily. Typical techniques replace individual characters with others, or encrypt individual components of a program or whole files.

Attackers often use it to hide malicious cmd or PowerShell payloads.

The IT security blog post linked at the bottom of this page (Deobfuscating DOSfuscated Scripts, Kahu Security) shows obfuscated examples and how to decode them. The tips below are taken from it:

2. Deobfuscation Tips

Work on a copy of the script inside an isolated analysis VM: everything before the verb you replace still executes, and if you miss an execution verb the real payload runs.

  • Replace the "CMD" and "PowerShell" execution verbs at the end (they may themselves be obfuscated) with "echo", so the script prints its payload instead of running it

  • Find the final variable that holds the deobfuscated content, then replace the execution verb with "echo" or "set"

  • If you use "set", remove the percent signs (%) before and after the variable name (set NAME lists the variables whose names start with NAME, together with their values)

  • A variable name can contain spaces, or more specifically end with a space; cleaning up the script or extracting the variable name with too few or too many spaces will likely result in failure

  • Sometimes you can delete everything after the pipe (|), but if the script ends with a double quote, be sure to keep it

  • Change "call" to "echo", then reference the previously assigned variable with surrounding exclamation marks (!var!)

3. Examples

At the bottom of the script is "DO %b /c %wZ%". The "DO %b" executes "cmd /c" (%b is the FOR loop variable that holds "cmd"), and "%wZ%" is the variable whose contents we want to see. Replace "%b /c" with "echo".

If you paste the modified script into a CMD prompt and run it, the deobfuscated content is printed: "net user".

Here's one example where you can delete everything after the pipe, which is near the end of the script.

The result is shown at the very bottom.

Here's a reversed script where the execution verb at the end is spelled out of characters sliced from the TMP environment variable ("%TMP:~-8 ... -12,+1%"); replace that whole expression with "echo".

And "net user" is the result.

In this example, replace the "call" at the end with "echo"; what you then echo is the variable to the left of the equals sign, referenced with delayed expansion. Look for the double exclamation marks and take one of them, so that the reference reads !var!.

The result is "net user" again.

In this last example, replace "echo" with "set" and remove the percent signs at the beginning and end of the variable name. Also delete the pipe and everything after it up to the closest parenthesis.

The variable and its contents are then displayed.
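The tips in section 2 and the "net user" walkthroughs above, worked through in code. The following Python script is an added example written for this page; it is not code from the original page or from the Kahu Security post. Instead of editing the sample and running it in a CMD prompt, it statically resolves the cmd.exe constructs DOSfuscation relies on (caret padding, %VAR:~start,len% slicing as in the "%TMP:~-8 ... -12,+1%" pieces above, %VAR:old=new% substitution, set assignments including variable names that end in a space, delayed !VAR! expansion, the cmd /C "..." wrapper and the trailing pipe) and stops where the real script would execute, returning the rebuilt command. The %COMSPEC% value, the variable names and the SAMPLE one-liner are constructed for illustration. FOR-loop reversal, as in the first example above, is not emulated, so that case still needs the manual verb swap.

```python
"""Static emulator for the cmd.exe constructs that DOSfuscation leans on:
caret padding, %VAR:~start,len% slicing, %VAR:old=new% substitution, set,
delayed !VAR! expansion and the cmd /C "..." wrapper. It stops where the
sample would execute and returns the rebuilt command. Constructed example for
this page, not code from the page or from Kahu Security; FOR loops and ^&
escapes are out of scope and delayed expansion is treated as always on."""
import re

# Assumed environment of an ordinary Windows host (constructed value).
ENV = {"COMSPEC": r"C:\Windows\system32\cmd.exe"}

# %NAME%, %NAME:~start,len%, %NAME:old=new%; _DLY is the same grammar between
# ! ! (delayed expansion). Names may contain spaces: "set B =x" defines "B ".
_PCT = re.compile(r"%([^%:=]+)(?::~([-+]?\d+)(?:,([-+]?\d+))?|:([^%=]+)=([^%]*))?%")
_DLY = re.compile(r"!([^!:=]+)(?::~([-+]?\d+)(?:,([-+]?\d+))?|:([^!=]+)=([^!]*))?!")
_WRAP = re.compile(r"^\s*cmd(?:\.exe)?(?:\s+/\S+)*\s+/[ck]\s*(.*)$", re.I | re.S)

def substr(value, start, length=None):
    """%VAR:~start,len%: negative start counts from the end, negative len stops that far before the end."""
    start = start if start >= 0 else max(len(value) + start, 0)
    if length is None:
        return value[start:]
    return value[start:start + length] if length >= 0 else value[start:length]

def expand(text, env, pattern):
    """One expansion pass; undefined names stay literal, as at the prompt."""
    def one(m):
        name, start, length, old, new = m.groups()
        val = env.get(name.upper())
        if val is None:
            return m.group(0)
        if start is not None:
            return substr(val, int(start), None if length is None else int(length))
        if old is not None:  # cmd's substitution is case-insensitive
            return re.sub(re.escape(old), lambda _: new, val, flags=re.I)
        return val
    return pattern.sub(one, text)

def _scan(text):
    """Yield (char, inside_double_quotes) for every character."""
    quoted = False
    for c in text:
        if c == '"':
            quoted = not quoted
        yield c, quoted

def strip_carets(text):
    """^ is cmd's escape character; outside double quotes it is pure padding."""
    return "".join(c for c, q in _scan(text) if c != "^" or q)

def split_unquoted(text, sep):
    """Split on unquoted sep (the empty piece between && is dropped); only leading blanks go."""
    parts, buf = [], []
    for c, q in _scan(text):
        if c == sep and not q:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
    parts.append("".join(buf))
    return [p.lstrip() for p in parts if p.strip()]

def unwrap(text):
    """Peel cmd /V:ON /C "..." layers; the inner cmd.exe parses the payload, so its carets become live."""
    while (m := _WRAP.match(text)):
        inner = m.group(1).strip()
        if inner[:1] == '"' and inner[-1:] == '"':
            inner = inner[1:-1]
        text = strip_carets(inner)
    return text

def deobfuscate(script, env=None):
    """Return the command line the sample would finally hand to cmd.exe."""
    env = {k.upper(): v for k, v in (env or ENV).items()}
    # %...% expands once over the whole line before any set in it has run,
    # which is why samples reference their own variables as !VAR!.
    text = unwrap(strip_carets(expand(script, env, _PCT)))
    for command in split_unquoted(text, "&"):
        command = expand(command, env, _DLY)        # delayed expansion, per command
        command = split_unquoted(command, "|")[0]   # the pipe feeds a new cmd: drop it
        m = re.match(r'set\s+("?)(.+?)=(.*)\1$', command, re.I | re.S)
        if m:                                       # record instead of executing;
            env[m.group(2).upper()] = m.group(3)    # the name keeps a trailing space
            continue
        verb, _, rest = command.partition(" ")
        if verb.lower() in ("call", "echo"):        # the manual verb swap, automated
            return rest.strip()
        if _WRAP.match(command):                    # nested cmd /c <payload>
            return unwrap(command).strip()
    return text.strip()                             # nothing executed: show expansion

# Constructed sample in the page's style: "cmd" is sliced out of %COMSPEC%, the
# payload is stored reversed and rebuilt with !A:~i,1!, and "B " ends in a space.
SAMPLE = ('%COMSPEC:~-7,3% /V:ON /C "s^et A=resu ten&& '
          "s^et B =!A:~7,1!!A:~6,1!!A:~5,1!!A:~4,1!!A:~3,1!!A:~2,1!!A:~1,1!!A:~0,1!&& "
          'c^all !B !"')
```

deobfuscate(SAMPLE) returns "net user" without anything being executed; unlike the echo trick, the set chain never runs either, so a missed verb cannot fire the payload. Referencing the spaced variable as !B! instead of !B ! leaves the reference unexpanded, which is exactly the failure the spacing tip warns about. For samples that use constructs outside these primitives, compare the emulator's output with the echo method on an isolated VM.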

Obfuscation frameworks
Deobfuscating DOSfuscated Scripts | Kahu Security